An open-source tool based on the new CIS Software Supply Chain benchmark


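Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance, based on the new CIS Software Supply Chain benchmark. The audit covers the entire SDLC process and can reveal risks from code time to deploy time. To win the race against attackers and protect your sensitive data and your customers' trust, you need to ensure that your code complies with your organization's policies.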


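Quick start

The main way to run chain-bench is as a stand-alone CLI. It needs an access token for your account and the URL of the repository in order to access your SCM.

Installation

Get Chain-bench through your preferred installation method. See the installation section of the documentation for details. For example: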

  • brew install chain-bench
  • nix-env --install -A nixpkgs.chain-bench
  • docker run aquasec/chain-bench
  • Download the binary from github.com/aquasecurit…

Usage

chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>

Using Docker

docker run aquasec/chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN>

Using GitHub Actions

See the repository: https://github.com/aquasecurity/chain-bench-action

Sample output

2022-06-13 15:22:18 INF 🚩	Fetch Starting
2022-06-13 15:22:19 INF 🏢	Fetching Organization Settings Finished
2022-06-13 15:22:29 INF 🛢️	Fetching Repository Settings Finished
2022-06-13 15:22:29 INF 🌱	Fetching Branch Protection Settings Finished
2022-06-13 15:22:29 INF 👫	Fetching Members Finished
2022-06-13 15:22:31 INF 🔧	Fetching Pipelines Finished
2022-06-13 15:22:31 INF 🏁	Fetch succeeded
   ID                                                 Name                                                Result                  Reason
-------- ----------------------------------------------------------------------------------------------- -------- ---------------------------------------
 1.1.3    Ensure any change to code receives approval of two strongly authenticated users                 Passed
 1.1.4    Ensure previous approvals are dismissed when updates are introduced to a code change proposal   Failed
 1.1.5    Ensure that there are restrictions on who can dismiss code change reviews                       Failed
 1.1.6    Ensure code owners are set for extra sensitive code or configuration                            Failed
 1.1.8    Ensure inactive branches are reviewed and removed periodically                                  Failed   20 inactive branches
 1.1.9    Ensure all checks have passed before the merge of new code                                      Passed
 1.1.10   Ensure open git branches are up to date before they can be merged into codebase                 Passed
 1.1.11   Ensure all open comments are resolved before allowing to merge code changes                     Passed
 1.1.12   Ensure verifying signed commits of new changes before merging                                   Failed
 1.1.13   Ensure linear history is required                                                               Passed
 1.1.14   Ensure branch protection rules are enforced on administrators                                   Failed
 1.1.15   Ensure pushing of new code is restricted to specific individuals or teams                       Passed
 1.1.16   Ensure force pushes code to branches is denied                                                  Failed
 1.1.17   Ensure branch deletions are denied                                                              Failed
 1.2.1    Ensure all public repositories contain a SECURITY.md file                                       Failed
 1.2.2    Ensure repository creation is limited to specific members                                       Failed
 1.2.3    Ensure repository deletion is limited to specific members                                       Passed
 1.2.4    Ensure issue deletion is limited to specific members                                            Passed
 1.3.1    Ensure inactive users are reviewed and removed periodically                                     Failed   22 inactive users
 1.3.3    Ensure minimum admins are set for the organization                                              Passed
 1.3.5    Ensure the organization is requiring members to use MFA                                         Passed
 1.3.7    Ensure 2 admins are set for each repository                                                     Failed
 1.3.8    Ensure strict base permissions are set for repositories                                         Passed
 1.3.9    Ensure an organization's identity is confirmed with a Verified badge                            Failed
 2.3.1    Ensure all build steps are defined as code                                                      Failed   No build job was found in pipelines
 2.3.5    Ensure access to the build process's triggering is minimized                                    Passed
 2.3.7    Ensure pipelines are automatically scanned for vulnerabilities                                  Passed
 2.3.8    Ensure scanners are in place to identify and prevent sensitive data in pipeline files           Failed   Repository is not scanned for secrets
 2.4.2    Ensure all external dependencies used in the build process are locked                           Failed   16 task(s) are not pinned
 2.4.6    Ensure pipeline steps produce an SBOM                                                           Passed
 3.1.7    Ensure dependencies are pinned to a specific, verified version                                  Failed   16 dependencies are not pinned
 3.2.2    Ensure packages are automatically scanned for known vulnerabilities                             Passed
 3.2.3    Ensure packages are automatically scanned for license implications                              Passed
 4.2.3    Ensure user's access to the package registry utilizes MFA                                       Passed
 4.2.5    Ensure anonymous access to artifacts is revoked                                                 Passed
 4.3.4    Ensure webhooks of the package registry are secured                                             Passed
-------- ----------------------------------------------------------------------------------------------- -------- ---------------------------------------
 Total Passed Rules: 19 out of 36
2022-06-13 15:22:31 INF Scan completed: 13.108s
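
A scan like the one above is most useful when a pipeline can act on it. The following is an added example, not part of chain-bench or its documentation: it parses console output in the table layout shown above and reports which controls from an organization's own must-pass list failed or were never evaluated (fail closed). The `REQUIRED` set, the function names and the shortened sample are assumptions made for illustration.

```python
import re

# One table row: ID, Name, Result, optional Reason (columns split by 2+ spaces).
ROW = re.compile(r"^\s*(\d+(?:\.\d+)+)\s+(.+?)\s{2,}(Passed|Failed)(?:\s{2,}(.*\S))?\s*$")
TOTAL = re.compile(r"Total Passed Rules:\s*(\d+) out of (\d+)")

# Constructed sample: four rows taken from the output above, padding shortened,
# summary line adjusted to match this subset.
SAMPLE = """\
2022-06-13 15:22:31 INF Fetch succeeded
   ID      Name                                                                    Result   Reason
-------- ------------------------------------------------------------------------ -------- ------
 1.1.3    Ensure any change to code receives approval of two strongly authenticated users   Passed
 1.1.8    Ensure inactive branches are reviewed and removed periodically   Failed   20 inactive branches
 1.1.12   Ensure verifying signed commits of new changes before merging   Failed
 2.4.2    Ensure all external dependencies used in the build process are locked   Failed   16 task(s) are not pinned
 Total Passed Rules: 1 out of 4
"""
REQUIRED = {"1.1.3", "1.1.12", "2.4.2", "3.1.7"}  # hypothetical org policy

def parse_report(text):
    """Return {control_id: (name, passed, reason)}; reject truncated output."""
    rows, total = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, name, result, reason = m.groups()
            rows[cid] = (name, result == "Passed", reason or "")
        elif (t := TOTAL.search(line)):
            total = (int(t.group(1)), int(t.group(2)))
    passed = sum(1 for _, ok, _ in rows.values() if ok)
    if total != (passed, len(rows)):  # also catches a missing summary line
        raise ValueError(f"parsed {passed}/{len(rows)} rows, summary says {total}")
    return rows

def gate(text, required):
    """List required controls that failed or were not evaluated at all."""
    rows = parse_report(text)
    problems = []
    for cid in sorted(required, key=lambda c: [int(p) for p in c.split(".")]):
        if cid not in rows:
            problems.append((cid, "not evaluated"))  # fail closed
        elif not rows[cid][1]:
            problems.append((cid, rows[cid][2] or "failed"))
    return problems

if __name__ == "__main__":
    for cid, why in gate(SAMPLE, REQUIRED):
        print(f"BLOCK {cid}: {why}")
```

Treating an absent control as a failure matters here because the sample output skips some IDs (for example, there is no 1.1.1 row), so a required control can be missing from a report without any row marked Failed.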

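Requirements

You need to provide an access token with these scopes: repo (all), read:repo_hook, admin:org_hook, read:org

Supported providers

We currently support GitHub as the first SCM, using PAT authentication.

Please note

Chain-bench implements the CIS Software Supply Chain benchmark as closely as possible. You can find the currently implemented checks under AVD - Software Supply Chain CIS - 1.0; they are updated nightly from the chain-bench metadata.json files. If chain-bench does not correctly implement a test described in the benchmark, please raise an issue here. To report an issue with the benchmark itself (for example, a test you think is inappropriate), please join the CIS community.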